Apache bug prompts update advice
By Colin Ho, ZDNet.com.au
08 March 2010 05:38 PM
Tags: apache, bug, exploit, root kit, sense, security, vulnerable, attack
IT security company Sense of Security has discovered a serious bug in Apache's HTTP web server, which could allow a remote attacker to gain complete control of a database.
(Screenshot by Colin Ho/ZDNet.com.au)
Discovered by the company's security consultant Brett Gervasoni, the vulnerability exists in Apache's core "mod_isapi" module. By exploiting the module, an attacker could remotely gain system privileges that would compromise data security.
Users of Apache 2.2.14 and earlier are advised to upgrade to Apache 2.2.15, which fixes the exploit.
According to Sense of Security spokesperson Jason Edelstein, Apache is one of the most popular pieces of web server software used today and the vulnerability was one of the most significant bugs in Apache for years.
"The vulnerability means that you can take complete control of the web server remotely with system privileges — which is the highest privilege on Windows," Edelstein told ZDNet.com.au. "An attacker could gain access to, modify and take away data."
Edelstein advised users running Apache on Windows platforms to upgrade immediately as users have no way of knowing if their web servers have been compromised. The company's security advisory can be accessed here.
"Whilst in the past it was more overt and attackers would deface website pages, they're more likely now to conceal their access to maintain their foothold," said Edelstein, giving examples of attackers potentially exploiting the vulnerability by placing hidden pieces of code to capture credit card details from online transactions and install root kits on compromised websites.
"The latest version is not vulnerable," said Edelstein.
He added that an attacker would need a high degree of technical know-how to successfully exploit the vulnerability.
"You'd need to write a piece of code, a high level piece of code, which is quite difficult to create, and find a condition in the web server," said Edelstein.
"A proof of concept remote exploit has been written by Sense of Security, and it is feasible that others could write a similar exploit to completely compromise a Windows system," said Brett Gervasoni.